Privacy Policy

1. Data Controller

Devtower Ltd (“we”, “us”, “our”) is the data controller for personal data processed through the Approvox platform. We are registered in England and Wales. For data protection enquiries, contact us at privacy@approvox.co.uk.

2. What Data We Collect

We collect and process the following categories of personal data:

• Account data: name, email address, hashed password, firm name, role
• Communication data: questions submitted by Clients, answers drafted by AI and approved by accountants, thread metadata
• Audit data: timestamps, action types, actor identities, AI model information, and prompt hashes for every action in the platform
• Payment data: processed by Stripe; we store only Stripe customer IDs and subscription IDs, not card details
• Technical data: IP address, browser type, and usage logs for security and performance purposes

3. Legal Basis for Processing

We process your personal data on the following legal bases under the UK GDPR:

• Contract performance (Article 6(1)(b)): to provide the Service as agreed in our Terms of Service
• Legitimate interests (Article 6(1)(f)): to maintain security, prevent fraud, and improve the Service
• Legal obligation (Article 6(1)(c)): to comply with applicable laws and regulatory requirements

4. How We Use AI

We use third-party AI models (currently provided by Anthropic) to generate draft answers to Client questions. Client questions are sent to the AI provider for processing. We do not use Client data to train AI models. AI-generated drafts are stored within the Service and are subject to the same data protection measures as all other platform data. A hash of each AI prompt is stored in the audit trail for reproducibility and compliance purposes.

5. Data Sharing

We share personal data with the following categories of recipients:

• AI providers: Anthropic (Claude) for generating draft answers
• Payment processor: Stripe for subscription billing
• Email provider: for sending notification emails
• Hosting provider: for infrastructure and data storage

We do not sell personal data to third parties. We do not share personal data for marketing purposes without explicit consent.

6. Data Security

We implement appropriate technical and organisational measures to protect personal data, including encryption at rest and in transit, access controls, audit logging, and regular security reviews. All data is processed within the United Kingdom.

7. Data Retention

We retain personal data for as long as your account is active. Following account termination, we retain data for 90 days to allow for reactivation. Audit log data may be retained for up to 7 years in accordance with professional regulatory requirements. You may request earlier deletion of your data, subject to our legal obligations.

8. Your Rights

Under the UK GDPR, you have the following rights:

• Right of access to your personal data
• Right to rectification of inaccurate data
• Right to erasure (subject to legal obligations)
• Right to restrict processing
• Right to data portability
• Right to object to processing

To exercise any of these rights, contact us at privacy@approvox.co.uk. We will respond within 30 days.

9. Cookies

We use essential cookies for authentication and session management. These cookies are necessary for the Service to function and cannot be disabled. We do not use advertising or tracking cookies.

10. Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.